© 1999, Cisco Systems, Inc. Securing Routers Against Hackers and Denial of Service Attacks. Lou Ronnau, lpr@cisco.com


Page 1: Securing Routers Against Hackers and Denial of Service Attacks

Lou Ronnau, lpr@cisco.com

Page 2: Outline

IP Refresher

Attack Types

Network Layer Attacks

Transport Layer Attacks

Application Layer Attacks

Page 3: Outline (cont.)

Reconnaissance

Initial Access

Questions

Page 4: IP Refresher

Page 5: TCP/IP Protocol Stack

OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical

IP Conceptual Layers: Application, Transport, Internet, Network Interface (Ethernet, 802.3, 802.5, ATM, FDDI, and so on)

Page 6: Internet Layer Refresher

IP datagram header fields: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data

Internet-layer protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)

Page 7: Transport Layer Refresher

Transmission Control Protocol (TCP) segment format: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Checksum, Urgent Ptr, Options, Data

User Datagram Protocol (UDP) segment format: Src Port, Dst Port, Length, Checksum, Data

Page 8: Port Numbers

Application-layer services and the transport-layer ports they listen on:

TCP: Telnet 23, SMTP 25, DNS 53, HTTP 80, SSL 443

UDP: DNS 53, TFTP 69

Page 9: Application Layer Refresher

Web Browsing (HTTP, SSL)

File Transfer (FTP, TFTP, NFS, File Sharing)

E-Mail (SMTP, POP2, POP3)

Remote Login (Telnet, rlogin)

Name Management (DNS)

Microsoft Networking Services

Page 10: Attack Types

Page 11: Attack Types

Attacks are classified along two axes: what is inspected, Context (header) or Content (data), and how many packets are needed, "Atomic" (single packet) or "Composite" (multiple packets).

Context, atomic: Ping of Death, Land Attack

Context, composite: Port Sweep, SYN Attack, TCP Hijacking

Content, atomic: MS IE Attack, E-mail Attacks

Content, composite: Telnet Attacks, Character Mode Attacks

Page 12: Attack Types (cont.)

Reconnaissance: host scan, port scan, SMTP VRFY

Access: spoofing, session hijacking

Denial of service: SYN attacks, ping-of-death, teardrop, WinNuke

Privilege escalation: MS IE%2ASP, ftp cwd ~root

Page 13: Demystifying Common Attacks

Application: Java, ActiveX, and Script Execution; E-Mail EXPN

Transport: WinNuke, SYN Flood, UDP Bomb, Port Scan, Land.c

Internet: Ping Flood, Ping of Death, IP Spoof, Address Scanning, Source Routing

Network Interface: Sniffer/Decoding, MAC Address Spoofing

Page 14: Network Layer Attacks

Page 15: IP Layer Attacks

• IP Options

• IP Fragmentation

• Bad IP packets

• Spoofed Addresses

Page 16: IP Fragmentation Attacks

IP Fragment Attack: offset value too small; indicates an unusually small fragment; may bypass some packet-filtering devices. A filter that inspects only the first fragment never sees the ports if that fragment is too short to hold the transport header, and a non-initial fragment with an offset of 8 bytes (RFC 1858) overwrites the TCP flags the filter did check.

IP Fragments Overlap: offset value indicates overlap with a fragment already received (Teardrop attack)

(Figure: IP header layout with the Flags and Frag Offset fields highlighted)

Page 17: IP Fragmentation

Routers and Internet gateways are stateless devices

Improperly fragmented packets are forwarded normally with other traffic

Catching them requires stateful inspection (the device must remember the earlier fragments of the same datagram)

Page 18: Bad IP Packet Attacks

Unknown IP Protocol: Proto = invalid or undefined value

Impossible IP Packet: same source and destination address (Land attack)

(Figure: IP header layout with the Proto, Source IP and Destination IP fields highlighted)
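The checks on pages 16 through 18 (tiny and overlapping fragments, undefined protocol, Land) can be written as a small packet classifier. The following is an added example in Python, not code from the slides or from Cisco IOS: it decodes the fixed IPv4 header, runs the single-packet ("atomic") checks, and keeps per-datagram fragment ranges for the composite Teardrop check. The list of "known" protocol numbers, the 16-byte minimum first-fragment size from RFC 1858, and the packets in SAMPLE are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers this checker treats as known. Assumption: a real filter
# would carry the full IANA list; anything outside it is reported as
# "unknown IP protocol", the first check on the slide.
KNOWN_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
                   50: "ESP", 51: "AH", 89: "OSPF"}
MORE_FRAGMENTS = 0x1       # low bit of the 3-bit Flags field (DF is 0x2)
MIN_FIRST_FRAGMENT = 16    # RFC 1858: a shorter first TCP fragment cannot hold the flags


def build_ipv4(src, dst, *, ident=1, proto=6, more=False, offset=0, payload=b""):
    """Build a minimal IPv4 datagram (no options, checksum left as zero) so the
    constructed cases below can be fed through the parser."""
    flags_off = ((MORE_FRAGMENTS if more else 0) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """Decode the 20-byte fixed IPv4 header into a dict of fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"version": ver_ihl >> 4, "ihl": (ver_ihl & 0x0F) * 4,
            "total_len": total_len, "id": ident, "flags": flags_off >> 13,
            "frag_offset": (flags_off & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
            "src": IPv4Address(src), "dst": IPv4Address(dst)}


def check_packet(hdr):
    """Atomic (single-packet) checks: Land, unknown protocol, tiny first
    fragment, fragment landing inside the transport header, Ping of Death."""
    alerts = []
    payload_len = hdr["total_len"] - hdr["ihl"]
    more = bool(hdr["flags"] & MORE_FRAGMENTS)
    off = hdr["frag_offset"]
    if hdr["src"] == hdr["dst"]:
        alerts.append("impossible packet: source == destination (Land)")
    if hdr["proto"] not in KNOWN_PROTOCOLS:
        alerts.append(f"unknown IP protocol {hdr['proto']}")
    if hdr["proto"] == 6 and off == 0 and more and payload_len < MIN_FIRST_FRAGMENT:
        alerts.append("tiny first fragment: TCP header split across fragments")
    if off == 8:
        alerts.append("fragment offset 8 would overwrite the TCP flags (RFC 1858)")
    if off + payload_len > 65535:
        alerts.append(f"reassembled size {off + payload_len} > 65535 (Ping of Death)")
    return alerts


class FragmentTracker:
    """Composite check: remember the byte ranges already seen for each
    in-progress datagram and flag a fragment that overlaps them (Teardrop)."""

    def __init__(self):
        self.ranges = {}  # (src, dst, id, proto) -> [(start, end), ...]

    def add(self, hdr):
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        start = hdr["frag_offset"]
        end = start + hdr["total_len"] - hdr["ihl"]
        seen = self.ranges.setdefault(key, [])
        for s, e in seen:
            if start < e and s < end:
                return f"fragment id={hdr['id']} [{start},{end}) overlaps [{s},{e}) (Teardrop)"
        seen.append((start, end))
        return None


def analyze(packets):
    """Run every packet through the atomic checks and every fragment through
    the overlap tracker; return all alerts in arrival order."""
    tracker, alerts = FragmentTracker(), []
    for raw in packets:
        hdr = parse_ipv4(raw)
        alerts.extend(check_packet(hdr))
        if hdr["flags"] & MORE_FRAGMENTS or hdr["frag_offset"]:
            overlap = tracker.add(hdr)
            if overlap:
                alerts.append(overlap)
    return alerts


# Constructed traffic using the addresses from the slides' diagrams.
SAMPLE = [
    build_ipv4("10.1.1.2", "10.1.1.2", payload=b"\x00" * 20),                        # Land
    build_ipv4("172.16.42.84", "10.1.1.2", proto=200, payload=b"x"),                  # undefined protocol
    build_ipv4("172.16.42.84", "10.1.1.2", ident=8, more=True, payload=b"\x00" * 8),  # tiny first fragment
    build_ipv4("172.16.42.84", "10.1.1.2", ident=8, offset=8, payload=b"\x00" * 16),  # lands on the TCP flags
    build_ipv4("172.16.42.84", "10.1.1.2", ident=7, more=True, payload=b"\x00" * 36),
    build_ipv4("172.16.42.84", "10.1.1.2", ident=7, offset=24, payload=b"\x00" * 8),  # Teardrop overlap
    build_ipv4("172.16.42.84", "10.1.1.2", ident=9, proto=1, offset=65528, payload=b"\x00" * 16),  # Ping of Death
]

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print(line)
```

The Ping of Death test is placed here rather than with the ICMP checks because it needs only IP fields: the last fragment's offset plus its length exceeds the 65535-byte maximum, whatever protocol the datagram carries.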

Page 19: IP Address Spoofing

Source IP address set to that of a trusted host or a nonexistent host

Access lists applied at the source (ingress filtering on the link the packets arrive on) are the only protection

Best applied at the connection to the Internet

Page 20: Spoofing: Access by Impersonation

(Figure: an attacker at 172.16.42.84 sends IP (D=10.1.1.2 S=10.1.1.1) in through Serial 1 toward the inside host 10.1.1.2)

interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
! inbound on the Internet link: drop anything that claims a loopback or inside source
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
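To see how the slide's filter decides, here is an added example in Python, not code from the slides or from Cisco IOS: a small evaluator for extended access-list lines that applies IOS wildcard-mask matching and first-match-wins semantics, run against the slide's ACL 111 and the spoofed packet from the figure. ACL 112, the packet list and the `evaluate` function are this example's own; ACL 112 goes beyond the slide by denying all the RFC 1918 ranges and 0.0.0.0/8, which is what an Internet-edge ingress filter usually carries.

```python
from ipaddress import IPv4Address

# The slide's filter, verbatim. Applied inbound on Serial 1, it drops any
# packet arriving from the Internet that claims a loopback or inside source.
ACL_111 = """
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""

# Added here, not on the slide: the same idea extended to every RFC 1918 block
# and to 0.0.0.0/8.
ACL_112 = """
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip 0.0.0.0 0.255.255.255 any
access-list 112 deny ip 10.0.0.0 0.255.255.255 any
access-list 112 deny ip 172.16.0.0 0.15.255.255 any
access-list 112 deny ip 192.168.0.0 0.0.255.255 any
access-list 112 permit ip any any
"""


def parse_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') and return
    (base, care_mask, remaining_tokens). care_mask is the complement of the
    wildcard: bits set to 1 must match, so non-contiguous wildcards work too."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    base = int(IPv4Address(tokens[0]))
    wildcard = int(IPv4Address(tokens[1]))
    return base, 0xFFFFFFFF ^ wildcard, tokens[2:]


def parse_acl(text):
    """Turn extended-ACL lines into (action, protocol, src_spec, dst_spec) tuples,
    keeping their order because the first match wins."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src_base, src_mask, rest = parse_spec(t[4:])
        dst_base, dst_mask, _ = parse_spec(rest)
        entries.append((action, proto, (src_base, src_mask), (dst_base, dst_mask)))
    return entries


def _matches(spec, ip):
    base, mask = spec
    return (int(IPv4Address(ip)) & mask) == (base & mask)


def evaluate(entries, proto, src, dst):
    """Return 'permit' or 'deny' for a packet: the first matching line wins and
    the implicit deny at the end of every IOS access list catches the rest."""
    for action, p, src_spec, dst_spec in entries:
        if p in ("ip", proto) and _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "deny"


# Constructed packets: the slide's spoofed one (S=10.1.1.1 arriving from the
# outside), the attacker's real address, a loopback source and a 192.168 source,
# all headed for the inside host 10.1.1.2.
PACKETS = [("tcp", "10.1.1.1", "10.1.1.2"), ("tcp", "172.16.42.84", "10.1.1.2"),
           ("udp", "127.0.0.1", "10.1.1.2"), ("tcp", "192.168.0.7", "10.1.1.2")]


def run(acl_text):
    entries = parse_acl(acl_text)
    return [(src, evaluate(entries, proto, src, dst)) for proto, src, dst in PACKETS]


if __name__ == "__main__":
    print(run(ACL_111))
    print(run(ACL_112))
```

Note what the extended list does to the slide's own diagram: 172.16.42.84, the address the figure gives the attacker, falls inside 172.16.0.0/12 and is dropped along with the spoofed packet. Private addresses are never legitimate sources on an Internet link, so that is the intended behaviour; it just means the slide's example addresses would not survive a full ingress filter.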

Page 21: IP Options

IP header: 20 bytes

IP options: add up to 40 additional bytes to the header; only 8 valid options

(Figure: IP header layout with the Options area highlighted between the fixed header and the payload)

Page 22: IP Options (cont.)

Each option starts with a type byte laid out as Copy (1 bit), Class (2 bits), Option # (5 bits), followed for most options by a Length byte and the option's Parameters.

Copy: 0 = don't include the option in packet fragments; 1 = include the option in packet fragments

Class: 0 = Network Control; 2 = Debugging

Option: one of eight valid options

Length: number of bytes in the option (if used by the option)

Parameters: parameters passed by the option

Last option is always option 0.

Page 23: IP Options (cont.)

Option #: Option Name

0: End of Options

1: No Operation

2: Security (rarely used)

3: Loose Source Route

4: Timestamp (rarely used)

7: Record Route (records the gateways a packet has traversed)

8: Stream ID (rarely used)

9: Strict Source Route

Page 24: IP Source Routing

Two options: #3 loose source routing and #9 strict source routing

Can be used to bypass filters (ACLs) by steering the packet along a path the filter does not cover

Some machines with multiple interfaces route source-routed packets even with IP forwarding turned off

Router command: no ip source-route
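The option layout on pages 22 and 23 and the source-route policy on page 24 can be exercised with a parser. The following is an added example in Python, not code from the slides or from Cisco IOS: it walks the IP options area, decodes the copy/class/number bits of each type byte, extracts the gateway list from option 3 or 9, and applies the drop-or-forward decision that `no ip source-route` makes. The three sample option areas are constructed for the example.

```python
from ipaddress import IPv4Address

# Option numbers from the slide's table (the low 5 bits of the option type byte).
OPTION_NAMES = {0: "End of Options", 1: "No Operation", 2: "Security",
                3: "Loose Source Route", 4: "Timestamp", 7: "Record Route",
                8: "Stream ID", 9: "Strict Source Route"}
SOURCE_ROUTE = {3, 9}


def parse_options(opts):
    """Walk the options area that follows the 20-byte IP header (HLEN > 5).
    Options 0 and 1 are single bytes; every other option is type, length,
    then (length - 2) bytes of parameters."""
    parsed, i = [], 0
    while i < len(opts):
        t = opts[i]
        entry = {"copy": t >> 7, "class": (t >> 5) & 0x3, "number": t & 0x1F}
        entry["name"] = OPTION_NAMES.get(entry["number"], f"unknown ({entry['number']})")
        if entry["number"] == 0:          # End of Options: anything after it is padding
            parsed.append(entry)
            break
        if entry["number"] == 1:          # No Operation: aligns the next option
            parsed.append(entry)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad option length {length} at offset {i}")
        data = opts[i + 2:i + length]
        entry["length"] = length
        if entry["number"] in SOURCE_ROUTE:
            if length < 3:
                raise ValueError("source route option too short")
            # pointer (starts at 4) followed by the list of gateways to visit
            entry["pointer"] = data[0]
            entry["route"] = [str(IPv4Address(data[k:k + 4]))
                              for k in range(1, 1 + 4 * ((length - 3) // 4), 4)]
        else:
            entry["data"] = data
        parsed.append(entry)
        i += length
    return parsed


def policy(opts):
    """What 'no ip source-route' does: a datagram carrying option 3 or 9 is
    dropped instead of being forwarded along the attacker-chosen path."""
    return "drop" if any(o["number"] in SOURCE_ROUTE for o in parse_options(opts)) else "forward"


def addr(a):
    return IPv4Address(a).packed


# Constructed option areas, each padded to a multiple of 4 bytes as IP requires.
LSRR_SAMPLE = b"\x83\x0b\x04" + addr("10.1.1.100") + addr("10.1.1.2") + b"\x00"   # via the router, then the inside host
RR_SAMPLE = b"\x07\x0b\x04" + b"\x00" * 8 + b"\x00"                               # record route with two empty slots
SSRR_SAMPLE = b"\x01\x01\x89\x07\x04" + addr("10.1.1.2") + b"\x00" * 3             # two NOPs, then a strict route

if __name__ == "__main__":
    for name, sample in ("LSRR", LSRR_SAMPLE), ("RR", RR_SAMPLE), ("SSRR", SSRR_SAMPLE):
        print(name, policy(sample), parse_options(sample))
```

The type byte 0x83 decodes as copy=1, class=0, number=3: source-route options are copied into every fragment, which is why a fragment-based filter cannot strip them by looking at the first fragment alone.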

Page 25: ICMP Attacks

Page 26: ICMP Query Message

Header: Type (8 bits), Code (8 bits), Checksum (16 bits), Identifier (16 bits), Sequence # (16 bits), Data

Type: 0 = Echo Reply; 8 = Echo Request; 13 = Timestamp Request; 14 = Timestamp Reply; 15 = Information Request; 16 = Information Reply; 17 = Address Mask Request; 18 = Address Mask Reply

Code: codes associated with each ICMP type

Checksum: ones-complement checksum over the whole ICMP message from the Type byte onward, computed with the checksum field set to zero

Page 27: ICMP Query Message (cont.)

Echo Reply: Type=0

Echo Request: Type=8

Timestamp Request: Type=13

Timestamp Reply: Type=14

(Figure: IP header followed by the ICMP header, with the Type field highlighted)

Page 28: ICMP Error Message

Header: Type (8 bits), Code (8 bits), Checksum (16 bits), Unused (32 bits), followed by the IP header plus the first 8 bytes of the original datagram's data (enough to identify the ports of the connection that caused the error)

Type: 3 = Destination Unreachable; 4 = Source Quench; 5 = Redirect; 11 = Time Exceeded; 12 = Parameter Problem

Code: codes associated with each ICMP type

Checksum: ones-complement checksum over the whole ICMP message from the Type byte onward, computed with the checksum field set to zero

Page 29: ICMP Error Messages

Unreachable: Type=3

Source Quench: Type=4

Redirect: Type=5

Time Exceeded: Type=11

Parameter Problem: Type=12

(Figure: IP header followed by the ICMP header, with the Type field highlighted)

Page 30: ICMP Attacks

Fragmented ICMP packet: Flag = more fragments, or Offset != 0

ICMP Floods: many ICMP packets to a single host

(Figure: IP header with the Flags, Frag Offset and Length fields highlighted, followed by the ICMP header)

Page 31: ICMP Attacks (cont.)

ICMP Smurf attack: Type=0 (echo reply); many packets; to a single host

ICMP Ping of Death: Flag = last fragment; Offset*8 + Length > 65535

(Figure: IP header with the Proto, Flags and Frag Offset fields highlighted, followed by the ICMP header)

Page 32: Smurfs

ICMP echo request with a spoofed source address (the victim's)

Destination address set to the broadcast address of a network (the so-called ping amplifier)

All hosts on the pinged network reply to the spoofed address, so the victim receives one echo reply per host for every request the attacker sent

Interface command: no ip directed-broadcast (on the router in front of the amplifier network; it stops the network being used against others, it does not protect a victim elsewhere)

Page 33: Ping of Death

IP ping > 65535 bytes (ICMP echo request)

Transmitted in fragments

Crashes some operating systems on reassembly
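The flood and smurf patterns on pages 30 through 32 are composite signatures: no single packet is malformed, the evidence is in how many arrive and from where. The following is an added example in Python, not code from the slides or from Cisco IOS: a sliding-window monitor over decoded ICMP events that reports a fragmented ICMP packet, an echo-request flood, and a smurf, which it separates from a flood by counting distinct reply sources per victim. The window and thresholds are this example's assumptions, and the event list is constructed.

```python
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Thresholds are assumptions for this example, not values from the slides.
WINDOW_SECONDS = 1.0
FLOOD_THRESHOLD = 50        # echo requests to one host within the window
SMURF_MIN_SOURCES = 20      # distinct hosts sending echo replies to one victim


class IcmpMonitor:
    """Sliding-window counter per destination. A smurf shows up as one victim
    receiving echo replies from many distinct sources (the amplifier network
    answering the spoofed request); a plain flood is many requests from few
    sources."""

    def __init__(self, window=WINDOW_SECONDS, flood=FLOOD_THRESHOLD,
                 smurf_sources=SMURF_MIN_SOURCES):
        self.window, self.flood, self.smurf_sources = window, flood, smurf_sources
        self.recent = defaultdict(deque)      # dst -> deque of (t, src, type)
        self.alerted = set()                  # (dst, kind) already reported once

    def observe(self, t, src, dst, icmp_type, more_fragments=False, frag_offset=0):
        alerts = []
        if more_fragments or frag_offset:     # the slide's "fragmented ICMP packet"
            alerts.append(f"fragmented ICMP {src} -> {dst}")
        q = self.recent[dst]
        q.append((t, src, icmp_type))
        while q and t - q[0][0] > self.window:
            q.popleft()
        reply_sources = {s for _, s, ty in q if ty == ECHO_REPLY}
        requests = sum(1 for _, _, ty in q if ty == ECHO_REQUEST)
        if len(reply_sources) >= self.smurf_sources and (dst, "smurf") not in self.alerted:
            self.alerted.add((dst, "smurf"))
            alerts.append(f"smurf: {len(reply_sources)} hosts sending echo replies to {dst}")
        if requests >= self.flood and (dst, "flood") not in self.alerted:
            self.alerted.add((dst, "flood"))
            alerts.append(f"ICMP flood: {requests} echo requests to {dst} within {self.window}s")
        return alerts


def build_sample():
    """Constructed event list (time, src, dst, icmp_type, MF, offset): a smurf
    against 10.1.1.2 from a /24 of amplifiers, a flood against 10.1.1.5 from
    one source, one normal ping exchange, and one fragmented echo request."""
    events = [(0.01 * i, f"192.168.5.{i + 1}", "10.1.1.2", ECHO_REPLY, False, 0) for i in range(30)]
    events += [(1.0 + 0.005 * i, "172.16.42.84", "10.1.1.5", ECHO_REQUEST, False, 0) for i in range(60)]
    events += [(2.0, "10.1.1.2", "10.1.1.100", ECHO_REQUEST, False, 0),
               (2.01, "10.1.1.100", "10.1.1.2", ECHO_REPLY, False, 0),
               (2.5, "172.16.42.84", "10.1.1.2", ECHO_REQUEST, True, 0)]
    return events


def run(events, monitor=None):
    monitor = monitor or IcmpMonitor()
    alerts = []
    for t, src, dst, icmp_type, mf, off in events:
        alerts.extend(monitor.observe(t, src, dst, icmp_type, mf, off))
    return alerts


if __name__ == "__main__":
    for line in run(build_sample()):
        print(line)
```

The normal ping pair at t=2.0 produces nothing: one reply source is far below the smurf threshold, and the earlier burst has aged out of the window by then.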

Page 34: Loki Attack

Loki is a tool used to hide hacker traffic inside an ICMP tunnel, so that a filter which permits echo requests and replies also passes the covert channel. It requires root access.

Loki ICMP tunnel: original Loki (Phrack Issue 51)

Modified Loki ICMP tunneling: modified Loki version

Page 35: Transport Layer Attacks

Page 36: TCP Attacks

• TCP Traffic Records

• TCP Port Scans

• TCP Host Sweeps

• Mail Attacks

• FTP Attacks

• Web Attacks

• NetBIOS Attacks

• SYN Flood & TCP Hijack Attacks

• TCP Applications


Page 37: TCP Port Scans

A TCP port scan occurs when one host searches for multiple TCP services on a single host.

Common scans: use a normal TCP SYN

Stealth scans: use FIN, SYN-FIN, null, or PUSH segments, and/or fragmented packets, to avoid the connection logs that a completed handshake would leave

(Figure: IP header followed by the TCP header, with the Dest Port and Flags fields highlighted)

Page 38: TCP Port Scan Attacks

Port Sweep: SYNs to ports < 1024; triggers when the type of sweep can't be determined

SYN Port Sweep: SYNs to any ports

Frag SYN Port Sweep: fragmented SYNs to many ports

FIN port sweep: FINs to ports < 1024

Frag FIN port sweep: fragmented FINs to ports < 1024

High port sweep: SYNs to ports > 1023; triggers when the type of sweep can't be determined

FIN High port sweep: FINs to ports > 1023

Page 39: TCP Port Scan Attacks (cont.)

Frag High FIN port sweep: fragmented FINs to ports > 1023

Null port sweep: TCP segments without SYN, FIN, ACK, or RST to any ports

Frag Null port sweep: fragmented TCP segments without SYN, FIN, ACK, or RST to any ports

SYN FIN port sweep: SYN-FINs to any port

Frag SYN/FIN port sweep: fragmented SYN/FINs to any ports

Queso sweep: FIN, SYN/FIN, and a PUSH

Page 40: TCP Host Sweeps

A TCP host sweep occurs when one host searches for a single TCP service on multiple hosts.

Common scans: use a normal TCP SYN

Stealth scans: use FIN, SYN-FIN, and null segments, and/or fragmented packets

(Figure: IP header followed by the TCP header, with the Destination IP and Dest Port fields highlighted)

Page 41: TCP Host Sweep Attacks

SYN host sweep: SYNs to the same port

Frag SYN host sweep: fragmented SYNs to the same port

FIN host sweep: FINs to the same port

Frag FIN host sweep: fragmented FINs to the same port

NULL host sweep: TCP segments without SYN, FIN, ACK, or RST to the same port

Frag NULL host sweep: fragmented packets without SYN, FIN, ACK, or RST to the same port

SYN/FIN host sweep: SYN-FINs to the same port

Frag SYN/FIN host sweep: fragmented SYN-FINs to the same port
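The signature names on pages 38 through 41 are all combinations of three things: which flags the probe carries, whether it is fragmented, and whether one source is spreading across ports on one host (port sweep) or across hosts on one port (host sweep). The following is an added example in Python, not code from the slides or from a Cisco product: it classifies each segment by its flag bits, then aggregates per source to emit the sweep names the slides use, splitting SYN and FIN port sweeps into the "< 1024" and "> 1023" ranges. The threshold of five distinct targets and the record list are this example's assumptions.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SWEEP_THRESHOLD = 5   # assumption: distinct targets before a sweep is reported


def probe_type(flags):
    """Classify a TCP segment by the flag combinations the slides list.
    Segments with ACK or RST belong to an existing exchange and are ignored."""
    if flags & (ACK | RST):
        return None
    core = flags & (SYN | FIN)
    if core == SYN | FIN:
        return "SYN/FIN"
    if core == SYN:
        return "SYN"
    if core == FIN:
        return "FIN"
    return "NULL" if flags == 0 else "PUSH"   # PSH/URG-only probes (Queso-style)


def port_range(ports):
    if all(p < 1024 for p in ports):
        return "ports < 1024"
    if all(p > 1023 for p in ports):
        return "ports > 1023"
    return "mixed ports"


def detect_sweeps(records, threshold=SWEEP_THRESHOLD):
    """records: (src, dst, dport, flags, fragmented). A port sweep is one
    source probing many ports on one host; a host sweep is one source probing
    one port on many hosts. Fragmented probes are reported separately, as on
    the slides."""
    targets = defaultdict(set)               # (src, probe, frag) -> {(dst, dport)}
    for src, dst, dport, flags, frag in records:
        probe = probe_type(flags)
        if probe:
            targets[(src, probe, frag)].add((dst, dport))
    alerts = []
    for (src, probe, frag), pairs in targets.items():
        label = f"{'Frag ' if frag else ''}{probe}"
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for dst, dport in pairs:
            ports_per_host[dst].add(dport)
            hosts_per_port[dport].add(dst)
        for dst, ports in ports_per_host.items():
            if len(ports) >= threshold:
                alerts.append(f"{label} port sweep from {src} against {dst}: "
                              f"{len(ports)} {port_range(ports)}")
        for dport, hosts in hosts_per_port.items():
            if len(hosts) >= threshold:
                alerts.append(f"{label} host sweep from {src} for port {dport}: {len(hosts)} hosts")
    return sorted(alerts)


# Constructed records (src, dst, dport, flags, fragmented): a SYN sweep of the
# low ports on one host, a fragmented FIN sweep of high ports on another, a
# NULL sweep for NetBIOS across eleven hosts, two SYN/FINs below threshold,
# and ordinary established-session traffic that must not be counted.
SAMPLE = (
    [("172.16.42.84", "10.1.1.2", p, SYN, False) for p in (21, 22, 23, 25, 80, 110)]
    + [("172.16.42.84", "10.1.1.3", p, FIN, True) for p in (1433, 3306, 5432, 8080, 8443)]
    + [("172.16.42.84", f"10.1.1.{h}", 139, 0, False) for h in range(10, 21)]
    + [("172.16.42.84", "10.1.1.4", 80, SYN | FIN, False), ("172.16.42.84", "10.1.1.5", 80, SYN | FIN, False)]
    + [("10.1.1.2", "10.1.1.100", 80, ACK | PSH, False)] * 50
)

if __name__ == "__main__":
    for line in detect_sweeps(SAMPLE):
        print(line)
```

Keying the aggregation on the fragmented flag is what makes "Frag FIN port sweep" a separate event from "FIN port sweep"; a scanner that mixes both will trip two signatures, each below the count it would have reached combined, which is a reason to also watch totals per source.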

Page 42: SYN Flood and TCP Hijacks

Half-Open SYN attack: DoS SYN flood attack, typically against ports 21, 23, 25, and 80

TCP Hijacking: access attack that attempts to take over an existing TCP session

Page 43: TCP Intercept Protects Networks Against SYN Floods

(Figure: request intercepted by the router, connection established with the client, connection transferred to the server)

TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles on half-open connections that never complete

TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination; only a client that completes the handshake is connected through to the server

Can also be configured to passively monitor TCP connection requests (watch mode) and terminate any attempt that fails to get established within a configurable interval

Page 44: TCP Intercept

Enable TCP Intercept (global configuration mode):

 access-list access-list-number {deny | permit} tcp any destination destination-wildcard
 ip tcp intercept list access-list-number

Set the TCP Intercept mode (global configuration mode):

 ip tcp intercept mode {intercept | watch}

Set the TCP Intercept drop mode:

 ip tcp intercept drop-mode {oldest | random}   (default: oldest)

Change the TCP Intercept timers:

 ip tcp intercept watch-timeout seconds   (default: 30 seconds)
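What the drop mode and timeout on this page actually govern is a table of half-open connections. The following is an added example in Python, not code from the slides or from Cisco IOS: a model of that table in intercept mode, where the router answers SYNs itself, evicts by the configured drop mode when the table is full, ages out entries that never complete, and transfers a connection to the server only after the client's final ACK. The table capacity, the 100-SYN flood and the single legitimate client are this example's own assumptions; the SYN-ACK and RST the router would send are represented by the returned strings.

```python
import random
from collections import OrderedDict


class InterceptTable:
    """Model of the half-open (embryonic) connection table a router keeps when
    it answers SYNs on the server's behalf. The slide names the drop modes
    (oldest | random) and the 30 s timeout; the capacity is this model's own
    parameter (IOS exposes it as a separate threshold, not shown on the slide)."""

    def __init__(self, capacity=8, drop_mode="oldest", timeout=30.0, rng=None):
        self.capacity, self.drop_mode, self.timeout = capacity, drop_mode, timeout
        self.half_open = OrderedDict()    # (src, sport, dst, dport) -> time of first SYN
        self.completed = self.dropped = 0
        self.rng = rng or random.Random(1)

    def expire(self, now):
        """Drop half-open entries that have waited longer than the timeout."""
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[key]
                self.dropped += 1

    def syn(self, now, key):
        """Client SYN: record it and answer SYN-ACK for the server. When the
        table is full, make room according to the configured drop mode."""
        self.expire(now)
        if key in self.half_open:
            return "retransmitted SYN, state kept"
        if len(self.half_open) >= self.capacity:
            victim = (next(iter(self.half_open)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.half_open)))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[key] = now
        return "SYN-ACK sent on behalf of server"

    def ack(self, now, key):
        """Client's final ACK: only now does the router open the connection to
        the real server and splice the two halves together."""
        if key not in self.half_open:
            return "RST: no half-open state for this connection"
        del self.half_open[key]
        self.completed += 1
        return "connection established and transferred to server"


def simulate(drop_mode="oldest", capacity=8):
    """Constructed scenario: 100 spoofed SYNs (never acknowledged) arrive over
    two seconds against 10.1.1.100:80 while one legitimate client completes
    its handshake in the middle of the flood."""
    table = InterceptTable(capacity=capacity, drop_mode=drop_mode)
    legit = ("10.1.1.2", 1026, "10.1.1.100", 80)
    events = [(0.02 * i, "syn", (f"172.16.{i // 256}.{i % 256}", 40000 + i, "10.1.1.100", 80))
              for i in range(100)]
    events += [(0.505, "syn", legit), (0.55, "ack", legit)]
    for t, kind, key in sorted(events, key=lambda e: e[0]):
        table.syn(t, key) if kind == "syn" else table.ack(t, key)
    return table


if __name__ == "__main__":
    for mode in ("oldest", "random"):
        t = simulate(mode)
        print(mode, "completed:", t.completed, "dropped:", t.dropped,
              "still half-open:", len(t.half_open))
```

With drop-mode oldest the legitimate client survives because its entry is younger than the flood entries ahead of it and it acknowledges within a few flood intervals; with drop-mode random it may be evicted before its ACK arrives, which is the trade-off between the two modes when the attacker's SYNs are newer than the victim's. The server never sees any of the 100 spoofed requests in either mode.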

Page 45: TCP Hijacks

TCP hijacking works by correctly guessing sequence numbers

Newer operating systems and firewalls counter the blind (off-path) form by randomizing initial sequence numbers; an attacker who can sniff the session still sees them

TCP Hijacking Simplex Mode: one injected command followed by an RST

Page 46: Land.c Attack

Spoofed packet with the SYN flag set

Sent to an open port

Source address/port the same as the destination address/port

Many operating systems lock up

Page 47: UDP Attacks

• UDP Traffic Records

• UDP Port Scan

• UDP Attacks

• UDP Applications


Page 48: UDP Port Scans

UDP port scan: one host searches for multiple UDP services on a single host

(Figure: IP header followed by the UDP header, with the Dest Port field highlighted)

Page 49: UDP Attacks

UDP flood (signature disabled by default): many UDP packets to the same host

UDP Bomb: UDP length < IP length

Snork: Src port = 135, 7, or 19; Dest port = 135

Chargen DoS: Src port = 7 and Dest port = 19

(Figure: IP header followed by the UDP header, with the Length and port fields highlighted)

Page 50: Reflexive Access Lists

Allow the packet-filtering mechanism to remember state

Reflexive ACL entries are transparent until activated by matching traffic

• Protocol support: TCP, UDP

• Alternative to the established keyword, which only checks that the ACK or RST bit is set and so passes any segment an attacker sets those bits on

• Available in Cisco IOS release 11.3

Page 51: Reflexive Access Lists

Router monitors an outgoing connection

Creates a dynamic inbound permit ACL entry using the IP addresses and port numbers of that connection, swapped

(Figure, #1: outbound Telnet SYN from the inside host 192.34.56.8, source port 1026, to 200.150.50.111 port 23, initial sequence # 49091)

#2: resulting dynamic entry: permit tcp 200.150.50.111 192.34.56.8 eq telnet (the full entry the router installs also pins the client's port 1026)
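The behaviour described on pages 50 and 51 is easy to misjudge without seeing which inbound packets the dynamic entry does and does not admit. The following is an added example in Python, not code from the slides or from Cisco IOS: a model of a reflexive list that installs the swapped five-tuple on each outbound packet, permits inbound packets only against that entry, removes it on FIN or RST and expires it after an idle timeout. The 300 s timeout (the IOS global default for reflexive lists), the Packet record type and the exchange in `demo` are this example's assumptions.

```python
from collections import namedtuple

# flags is the set of TCP flag names; UDP packets leave it empty.
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])


class ReflexiveAcl:
    """Model of a reflexive access list on the Internet-facing interface:
    every outbound packet leaves a temporary inbound entry with the addresses
    and ports swapped, and inbound packets are permitted only if they match
    one. Entries go away on FIN/RST or after the idle timeout."""

    def __init__(self, timeout=300.0):
        self.timeout = timeout
        self.entries = {}   # (proto, src, sport, dst, dport) of the expected reply -> expiry

    def outbound(self, now, pkt):
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[reply_key] = now + self.timeout
        return "permit"

    def inbound(self, now, pkt):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return "deny"
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[key]                    # session ending: remove the entry
        else:
            self.entries[key] = now + self.timeout   # refresh the idle timer
        return "permit"

    def render(self):
        """The dynamic entries in the form the slide shows them, ports included."""
        return [f"permit {p} host {s} eq {sp} host {d} eq {dp}"
                for p, s, sp, d, dp in self.entries]


def demo():
    """Constructed exchange using the slide's addresses: inside host
    192.34.56.8 telnets out to 200.150.50.111, and various inbound packets
    are then tested against the entry that created."""
    acl, log = ReflexiveAcl(), []
    out = Packet("tcp", "192.34.56.8", 1026, "200.150.50.111", 23, {"SYN"})
    log.append(("outbound SYN", acl.outbound(0.0, out)))
    log.append(("entry", acl.render()[0]))
    log.append(("reply SYN/ACK", acl.inbound(0.1, Packet("tcp", "200.150.50.111", 23, "192.34.56.8", 1026, {"SYN", "ACK"}))))
    log.append(("unsolicited SYN", acl.inbound(0.2, Packet("tcp", "172.16.42.84", 4444, "192.34.56.8", 23, {"SYN"}))))
    log.append(("wrong client port", acl.inbound(0.3, Packet("tcp", "200.150.50.111", 23, "192.34.56.8", 1027, {"ACK"}))))
    log.append(("server FIN", acl.inbound(5.0, Packet("tcp", "200.150.50.111", 23, "192.34.56.8", 1026, {"FIN", "ACK"}))))
    log.append(("after FIN", acl.inbound(5.1, Packet("tcp", "200.150.50.111", 23, "192.34.56.8", 1026, {"ACK"}))))
    return log


if __name__ == "__main__":
    for step, result in demo():
        print(f"{step:18s} {result}")
```

The "wrong client port" case is the one the established keyword would have passed: the segment has ACK set and comes from the real server, but it is not the session the inside host opened.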

Page 52: Cisco IOS Firewall Feature Set

Context-Based Access Control (CBAC): stateful, per-application filtering; support for advanced protocols (H.323, SQLnet, RealAudio, etc.)

Denial of Service detection and prevention

Control of Java applet downloading

Real-time alerts

TCP/UDP transaction log

Configuration and management

"Enhanced Security for the Intelligent Internet"

Page 53: What Is "Context-Based Access Control" (CBAC)?

Tracks the state and context of network connections to secure traffic flow

Inspects data coming into or leaving the router

Allows connections to be established by temporarily opening ports based on payload inspection (for example, the data-channel port an FTP client announces on its control channel)

Return packets are authorized for that particular connection only, via a temporary ACL entry

Page 54: Cisco IOS Context-Based Access Control (CBAC) Application Support

Transparent support for common TCP/UDP Internet services, including WWW, Telnet, SNMP, finger, etc.

FTP

TFTP

SMTP

Java blocking

BSD R-cmds

Oracle SQL*Net

Remote Procedure Call (RPC)

Multimedia applications:

• VDOnet's VDO Live

• RealNetworks' RealAudio

• Intel's Internet Video Phone (H.323)

• Microsoft's NetMeeting (H.323)

• Xing Technologies' Streamworks

• White Pine's CU-SeeMe

Page 55: Cisco IOS Firewall Feature Set (cont.)

Per-user authentication and authorization ("authentication proxy")

Intrusion detection technology

IP fragmentation defense

Dynamic per-application port mapping

Configurable alerts and audit trail

SMTP-specific attack detection

New CBAC application support: MS-Networking, MS NetShow

Page 56: Cisco IOS Firewall: Authentication Proxy

HTTP-initiated authentication

Once authenticated, valid for all types of application traffic

Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols

Works on any interface type for inbound or outbound traffic

Page 57: Cisco IOS Firewall: Authentication Proxy Operation

(Figure: user on E0 behind a Cisco IOS Firewall on a Cisco 7200 series router, S0 toward the ISP and Internet, AAA server reachable from the router)

1. User HTTP request

2. Router prompts for user ID/password

3. Router authenticates the user against the AAA server

4. Download the user profile, build a dynamic ACL on the router

5. User refreshes/reloads the URL and is passed through

Page 58: Application Layer Attacks

Page 59: Mail

TCP port 25

Attacks include: reconnaissance, access, DoS

(Figure: IP header followed by the TCP header with Dest Port=25, then the SMTP data)

Page 60: Mail Attacks

smail attack

sendmail invalid recipient

sendmail invalid sender

sendmail reconnaissance

Archaic sendmail attacks

sendmail decode alias

sendmail SPAM

Majordomo exec bug

MIME overflow bug

Qmail Length Crash

Page 61: File Transfer Protocol (FTP)

TCP port 21

Attacks include: reconnaissance, access

(Figure: IP header followed by the TCP header with Dest Port=21, then the FTP data)

Page 62: FTP Attacks

FTP SITE command attempted

FTP SYST command attempted

FTP CWD ~root

FTP Improper address specified

FTP Improper port specified
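The last two signatures on this page are the same payload inspection that CBAC (page 53) performs to open FTP data-channel pinholes: a PORT command naming a host other than the client is an FTP bounce attempt, and one naming a port below 1024 aims the server's data connection at a privileged service. The following is an added example in Python, not code from the slides or from Cisco IOS: an inspector for one FTP control session that opens a data-channel pinhole only for a sane PORT or PASV address and raises the page's SITE, SYST and CWD ~root signatures. The transcript, the client and server addresses, and the `allow` check are constructed for the example.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class FtpInspector:
    """Watches one FTP control session and opens a data-channel pinhole only
    for a PORT/PASV address that makes sense for the session. It also raises
    the control-channel signatures listed on the slide."""

    def __init__(self, client_ip, server_ip):
        self.client, self.server = client_ip, server_ip
        self.sessions = []   # (src, sport or None, dst, dport or None) permitted data channels
        self.alerts = []

    def client_line(self, line):
        line = line.strip()
        cmd = line.split(" ", 1)[0].upper()
        if cmd in ("SITE", "SYST"):
            self.alerts.append(f"FTP {cmd} command attempted")
        if cmd == "CWD" and line.upper().endswith("~ROOT"):
            self.alerts.append("FTP CWD ~root")
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != self.client:                # bounce attack: data aimed at a third host
                self.alerts.append(f"FTP improper address specified: {ip} (client is {self.client})")
            elif port < 1024:                    # data channel aimed at a privileged service
                self.alerts.append(f"FTP improper port specified: {port}")
            else:                                # active mode: server connects in from port 20
                self.sessions.append((self.server, 20, ip, port))

    def server_line(self, line):
        m = PASV_RE.match(line.strip())
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != self.server:
                self.alerts.append(f"FTP improper address specified: {ip} (server is {self.server})")
            else:                                # passive mode: client connects out; admit the replies
                self.sessions.append((ip, port, self.client, None))

    def allow(self, src, sport, dst, dport):
        """Would an inbound data-channel packet be permitted right now?"""
        return any(s == src and (sp is None or sp == sport) and d == dst and (dp is None or dp == dport)
                   for s, sp, d, dp in self.sessions)


# Constructed control-channel transcript: inside client 10.1.1.2, outside server 172.16.42.84.
TRANSCRIPT = [
    ("C", "USER anonymous"),
    ("C", "SYST"),
    ("C", "PORT 10,1,1,2,4,1"),          # 10.1.1.2:1025, legitimate
    ("C", "PORT 10,1,1,9,4,1"),          # third host: bounce attempt
    ("C", "PORT 10,1,1,2,0,25"),         # port 25: reach SMTP through the FTP server
    ("C", "CWD ~root"),
    ("S", "227 Entering Passive Mode (172,16,42,84,200,10)"),   # 172.16.42.84:51210
]


def run_transcript(transcript=TRANSCRIPT):
    insp = FtpInspector("10.1.1.2", "172.16.42.84")
    for side, line in transcript:
        (insp.client_line if side == "C" else insp.server_line)(line)
    return insp


if __name__ == "__main__":
    insp = run_transcript()
    print(insp.alerts)
    print(insp.sessions)
```

The pinhole is the whole point of inspecting the payload: without it the inbound rule would have to permit port 20 to every high port on every inside host, which is exactly the hole the established keyword and static ACLs leave open.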

Page 63: Web

TCP port 80

Attacks include: access

(Figure: IP header followed by the TCP header with Dest Port=80, then the HTTP data)

Page 64: Web Attacks

phf attack

General cgi-bin attack

url file requested

.lnk file requested

.bat file requested

HTML file has .url link

HTML file has .lnk link

HTML file has .bat link

campas attack

glimpse server attack

IIS View Source Bug

IIS Hex View Source Bug

NPH-TEST-CGI Bug

TEST-CGI Bug

IIS DOT DOT VIEW Bug

IIS DOT DOT EXECUTE Bug

IIS DOT DOT DENIAL Bug

Page 65: Web Attacks (cont.)

php view file Bug

SGI wrap bug

php buffer overflow

IIS Long URL Crash

View Source CGI Bug

MLOG/MYLOG CGI Bug

Handler CGI Bug

Webgais Bug

WebSendmail Bug

Webdist Bug

Htmlscript Bug

Performer Bug

WebSite win-c-sample buffer overflow

WebSite uploader

Novell convert bug

finger attempt

Count Overflow

Page 66: DNS Attacks

UDP port 53 (zone transfers run over TCP port 53)

Attacks include: reconnaissance

DNS HINFO request: potential reconnaissance

DNS zone transfer request: potential reconnaissance

DNS zone transfer from other port: source port different from 53

DNS request for all records: all records requested, not just one zone

Page 67: Application Exploit Attacks

Sun Kill Telnet DoS: port 23

Finger Bomb: port 79

rlogin -froot: port 513

IMAP Authenticate Overflow: port 143

IMAP Login Overflow: port 143

POP Overflow: port 110

Page 68: Application Exploit Attacks (cont.)

INN Overflow: port 119

INN Control Message: port 119

IOS Telnet buffer overflow: port 23

IOS Command History Exploit: port 25

Cisco IOS Identity: port 1999

Page 69: Server Message Blocks (SMB)

• Native NT file-sharing protocol

• Samba is the UNIX port of SMB

• Common Internet File System (CIFS): extension of SMB


SMB TCP/UDP Ports

• 135 - Remote Procedure Call Service (TCP and UDP)
• 137 - NetBIOS Name Service (UDP)
• 138 - NetBIOS Datagram Service (UDP)
• 139 - NetBIOS Session Service (TCP)


NetBIOS

TCP Port 139

Attacks include:
• Reconnaissance
• Access
• DoS

[Figure: IP header (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto=TCP, Checksum, Source IP, Destination IP) followed by TCP header (Source Port, Dest Port=139, Sequence Number, Acknowledgement Number, Len, Res, Flags, Window, Checksum, Urgent Pointer) and Data]


NetBIOS Attacks

NETBIOS OOB data

NETBIOS Stat

NETBIOS Session Setup Failure

Windows Guest login

Windows Null Account Name

Windows Password File Access

Windows Registry Access

Windows RedButton


TCP Application Attacks

These attacks target specific TCP-based applications (FTP, Telnet, rlogin) rather than the transport layer itself; the quoted strings are what a sensor looks for in the session data.

Capture password file
• FTP “RETR passwd”

loadmodule Attack
• Telnet “IFS=/”
• Rlogin “IFS=/”

Planting .rhosts
• Telnet “+ +”
• Rlogin “+ +”

Accessing shadow passwd
• Telnet “/etc/shadow”
• Rlogin “/etc/shadow”


UDP Application Attacks

Back Orifice
• port 31337

TFTP passwd file attempt
• port 69

[Figure: IP header (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto=UDP, Checksum, Source IP, Destination IP) followed by UDP header (Source Port, Dest Port, Length, Checksum) and Data]


RPC Services

Applications do not use well-known ports
• Use portmapper
  – Registers applications
  – TCP/UDP port 111

Attacks include
• Reconnaissance
• Access
• DoS

[Figure: client/server exchange. Client port 2488 -> server port 111: GET PORT (which port is NFS on?). Server port 111 -> client port 2488: USE PORT 2049. Client port 2488 -> server port 2049: NFS REQUEST]
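The exchange in the figure above, and the registration and dump attacks on the following slides, as an added Python example that is not part of the original deck. It encodes ONC RPC v2 CALL and REPLY messages to the portmapper (program 100000), serves GETPORT and DUMP from an in-memory table, and honours SET/UNSET only for local callers, the same check hardened portmappers apply to block remote (un)registration. Assumptions: `peer_is_local` stands in for the source-address test a real daemon performs, AUTH_NULL credentials are used throughout, and the registration table is constructed for the demo.

```python
import struct

# Portmapper / ONC RPC v2 constants (program 100000 on port 111; RFC 1831/1833 layouts)
PMAP_PROG, PMAP_VERS, PMAP_PORT = 100000, 2, 111
PMAPPROC_SET, PMAPPROC_UNSET, PMAPPROC_GETPORT, PMAPPROC_DUMP = 1, 2, 3, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROG, MOUNT_PROG = 100003, 100005
CALL, REPLY = 0, 1
MSG_ACCEPTED, SUCCESS, PROC_UNAVAIL, GARBAGE_ARGS = 0, 0, 3, 4


def build_call(xid, proc, *args):
    """CALL message to the portmapper: header, AUTH_NULL cred + verf, then 32-bit XDR args."""
    header = struct.pack("!6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, proc)
    auth = struct.pack("!4I", 0, 0, 0, 0)  # cred flavor/len, verf flavor/len
    return header + auth + struct.pack("!%dI" % len(args), *args)


def parse_call(data):
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", data[:24])
    if mtype != CALL or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    off = 24
    for _ in ("cred", "verf"):  # skip opaque auth bodies, padded to 4 bytes
        _flavor, length = struct.unpack("!2I", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    nargs = (len(data) - off) // 4
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "args": struct.unpack("!%dI" % nargs, data[off:off + 4 * nargs])}


def build_reply(xid, accept_stat=SUCCESS, *results):
    head = struct.pack("!6I", xid, REPLY, MSG_ACCEPTED, 0, 0, accept_stat)
    return head + struct.pack("!%dI" % len(results), *results)


def parse_reply(data):
    xid, mtype, reply_stat, _vflavor, _vlen, accept_stat = struct.unpack("!6I", data[:24])
    if mtype != REPLY or reply_stat != MSG_ACCEPTED or accept_stat != SUCCESS:
        raise ValueError("call not accepted (reply_stat=%d accept_stat=%d)" % (reply_stat, accept_stat))
    body = data[24:]
    return xid, struct.unpack("!%dI" % (len(body) // 4), body)


def portmapper_handle(request, table, peer_is_local):
    """Server side. `table` maps (prog, vers, prot) -> port. SET/UNSET succeed only for
    local callers; a remote attempt gets FALSE and the table is left untouched."""
    call = parse_call(request)
    xid, proc, args = call["xid"], call["proc"], call["args"]
    if proc == PMAPPROC_GETPORT:
        if len(args) != 4:
            return build_reply(xid, GARBAGE_ARGS)
        prog, vers, prot, _ = args
        return build_reply(xid, SUCCESS, table.get((prog, vers, prot), 0))  # 0 = not registered
    if proc in (PMAPPROC_SET, PMAPPROC_UNSET):
        if len(args) != 4:
            return build_reply(xid, GARBAGE_ARGS)
        if not peer_is_local:
            return build_reply(xid, SUCCESS, 0)  # FALSE: remote (un)registration refused
        prog, vers, prot, port = args
        if proc == PMAPPROC_SET:
            table[(prog, vers, prot)] = port
        else:
            table.pop((prog, vers, prot), None)
        return build_reply(xid, SUCCESS, 1)
    if proc == PMAPPROC_DUMP:
        words = []
        for (prog, vers, prot), port in sorted(table.items()):
            words += [1, prog, vers, prot, port]  # "more follows" flag + one pmap entry
        words.append(0)
        return build_reply(xid, SUCCESS, *words)
    return build_reply(xid, PROC_UNAVAIL)


def getport(table, prog, vers, prot, xid=0x2488):
    """Client side of the figure: ask port 111 where a program is listening."""
    req = build_call(xid, PMAPPROC_GETPORT, prog, vers, prot, 0)
    rxid, (port,) = parse_reply(portmapper_handle(req, table, peer_is_local=False))
    if rxid != xid:
        raise ValueError("xid mismatch")
    return port


def dump(table):
    """What `rpcinfo -p <host>` asks for: every (prog, vers, prot, port) registration."""
    _, words = parse_reply(portmapper_handle(build_call(1, PMAPPROC_DUMP), table, peer_is_local=False))
    entries, i = [], 0
    while words[i] == 1:
        entries.append(tuple(words[i + 1:i + 5]))
        i += 5
    return entries


def demo_table():
    """Constructed registrations: NFS v2 on UDP 2049 and mountd v1 on UDP 635."""
    return {(NFS_PROG, 2, IPPROTO_UDP): 2049, (MOUNT_PROG, 1, IPPROTO_UDP): 635}


if __name__ == "__main__":
    table = demo_table()
    print("NFS v2/UDP is on port", getport(table, NFS_PROG, 2, IPPROTO_UDP))
    print("rpcinfo -p equivalent:", dump(table))
```

The DUMP result is exactly what makes `rpcinfo -p` useful to an attacker: one unauthenticated request lists every RPC service and the port it moved to, which is why port 111 should be filtered at the router even when the services behind it are needed internally.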


RPC Attacks

RPC port registration
• Remotely registering a service that is not running

RPC port unregistration
• Remotely unregistering a running service

RPC dump
• rpcinfo -p <host>

Proxied RPC request
• Bypasses address-based RPC access checks: the portmapper forwards the call (PMAPPROC_CALLIT), so the target service sees it as coming from the local host


RPC Attacks (cont.)

RPC Port Sweeps
• Request service on many ports on the same host
• Stealth reconnaissance

Services probed:

RSTATD

RUSERSD

NFS

MOUNTD

YPPASSWD

SELECTION SVC

REXD

STATUS

TTDB


RPC Attacks (cont.)

Portmapper Requests
• Requests for services known to be exploited
• In most cases these services should not be reachable from outside
• If a service is genuinely needed, filter (tune) the signatures for it rather than ignore the alerts

Services covered:

ypserv

ypbind

yppasswd

ypupdated

ypxfrd

mountd

rexd


RPC Attacks (cont.)

rexd attempt
• Accessing rexd
• Allows running commands remotely
• Should not be allowed
• Unknown to some administrators

RPC Services with Buffer Overflow Vulnerabilities:
• statd
• ttdb
• mountd


Ident Attacks

Ident (RFC 1413) lets a server ask the connecting host which user owns a TCP connection. It was meant to discourage hostname, address, and user name spoofing, but the answer is produced by the (possibly hostile) remote host and must be treated as untrusted input.
• TCP port 113

Ident buffer overflow
• IDENT reply too large

Ident newline
• IDENT reply with newline plus more data

Ident improper request
• IDENT request too long or non-existent ports
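Added example, not part of the original deck: Python parsers for both sides of the ident protocol that reject the three malformed inputs listed above. The reply parser caps the size, insists on exactly one terminated line (so data after a newline is refused) and checks that the reply echoes the port pair that was asked about; the request parser rejects oversize lines and ports outside 1-65535. The 512-byte and 1000-byte limits are this example's own choices, not values taken from the RFC, and the sample lines are constructed.

```python
import re

# Limits chosen for this example (not RFC 1413 values); tune to the clients and servers you run
MAX_REPLY_BYTES = 512
MAX_REQUEST_BYTES = 1000
_PORT_PAIR = re.compile(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*")


def _valid_port(p):
    return 1 <= p <= 65535


def parse_ident_request(raw):
    """Server side: accept '<port-on-server> , <port-on-client>' and nothing else."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("Ident improper request: request too long")
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("Ident improper request: non-ASCII bytes")
    m = _PORT_PAIR.fullmatch(line.rstrip("\r\n"))
    if not m:
        raise ValueError("Ident improper request: malformed port pair")
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (_valid_port(server_port) and _valid_port(client_port)):
        raise ValueError("Ident improper request: non-existent port")
    return server_port, client_port


def parse_ident_reply(raw, expected_ports):
    """Client side: parse one reply line, enforcing size, single-line and port-echo checks.
    Reply grammar: '<server-port> , <client-port> : USERID : <opsys> : <user-id>'
                or '<server-port> , <client-port> : ERROR : <error-type>'"""
    if len(raw) > MAX_REPLY_BYTES:
        raise ValueError("Ident buffer overflow: reply too large")
    line, newline, trailing = raw.partition(b"\n")
    if not newline or trailing:
        raise ValueError("Ident newline: reply is not a single terminated line")
    line = line.rstrip(b"\r")
    if any(b < 0x20 or b > 0x7E for b in line):
        raise ValueError("Ident newline: control or non-ASCII bytes in reply")
    fields = [f.strip() for f in line.decode("ascii").split(":", 2)]
    if len(fields) != 3:
        raise ValueError("malformed reply: expected ports : type : info")
    ports, resp_type, info = fields
    m = _PORT_PAIR.fullmatch(ports)
    if not m or (int(m.group(1)), int(m.group(2))) != tuple(expected_ports):
        raise ValueError("reply does not echo the requested port pair")
    if resp_type == "ERROR":
        return {"status": "ERROR", "error": info}
    if resp_type == "USERID":
        opsys, sep, user = info.partition(":")
        if not sep or not user.strip():
            raise ValueError("USERID reply missing user-id")
        return {"status": "USERID", "opsys": opsys.strip(), "user": user.strip()}
    raise ValueError("unknown response type %r" % resp_type)


def ident_verdict(raw, expected_ports):
    """Detection-style wrapper: 'OK' or the reason the reply was rejected, for logging."""
    try:
        parse_ident_reply(raw, expected_ports)
        return "OK"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed replies: one clean, one carrying a second line after the newline
    for sample in (b"6193, 23 : USERID : UNIX : alice\r\n",
                   b"6193, 23 : USERID : UNIX : root\r\n6193, 23 : USERID : UNIX : x\r\n"):
        print(ident_verdict(sample, (6193, 23)))
```

Even a reply that passes every check is still only a claim made by the remote host; log the user name for correlation, but never grant access on the strength of it.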


IP Servers on Routers

Global configuration commands to turn off the “small servers” (echo, discard, chargen, daytime), which are what UDP bomb and fraggle-style attacks bounce off

no service tcp-small-servers

no service udp-small-servers


Trust Exploits

• Spoofing Trusted User

• Spoofing Trusted Host

• Planting ~/.rhosts or hosts.equiv via Alternate Methods


Reconnaissance


Reconnaissance

Unauthorized discovery and mapping of systems, services, or vulnerabilities


Reconnaissance Methods

• Common commands or administrative utilities
  – nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, DumpACL, and so on
• Hacker tools
  – SATAN, NMAP, custom scripts, and so on


Discovering the Targets

• Know thy target
  – Domain name, IP address space (e.g. victim.com, 192.168.X.X)
  – whois, nslookup
• Ping Sweeps
  – Network mapping
  – Identify potential targets


Ping Sweeps

ICMP network sweep with Echo
• Type=8

ICMP network sweep with Timestamp
• Type=13

ICMP network sweep with Address Mask
• Type=17

[Figure: IP header (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto=ICMP, Checksum, Source IP, Destination IP) followed by ICMP header (Type, Code, Checksum)]
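Added example, not part of the original deck: a Python sweep detector for the three ICMP types above. It pulls source, destination and ICMP type out of raw IPv4 packets and raises one alert per (source, type) once that source has probed a threshold number of distinct hosts inside a sliding time window, so a slow sweep spread over minutes stays below the bar while a fast one does not. The threshold and window values are this example's own defaults, and the traffic in `demo_events` is constructed.

```python
import struct
from collections import defaultdict

# ICMP request types the deck lists as sweep vehicles
SWEEP_TYPES = {8: "Echo", 13: "Timestamp", 17: "Address Mask"}


def parse_icmp(packet):
    """Return (src, dst, icmp_type, icmp_code) from a raw IPv4 packet,
    None for non-ICMP packets; raises ValueError on truncated input."""
    if len(packet) < 20:
        raise ValueError("short IP header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if packet[9] != 1:          # protocol field: 1 = ICMP
        return None
    if len(packet) < ihl + 4:   # type, code, checksum at minimum
        raise ValueError("truncated ICMP header")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]


def detect_sweeps(events, threshold=5, window=60.0):
    """events: iterable of (timestamp_seconds, raw_ipv4_packet).
    Alert once per (source, ICMP type) when that source has probed at least
    `threshold` distinct destinations within any `window` seconds."""
    history = defaultdict(list)   # (src, type) -> [(time, dst), ...] within the window
    reported = set()
    alerts = []
    for now, pkt in sorted(events, key=lambda e: e[0]):
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, _code = parsed
        if icmp_type not in SWEEP_TYPES:
            continue
        key = (src, icmp_type)
        recent = [(t, d) for t, d in history[key] if now - t <= window]
        recent.append((now, dst))
        history[key] = recent
        targets = {d for _, d in recent}
        if len(targets) >= threshold and key not in reported:
            reported.add(key)
            alerts.append("ICMP network sweep with %s (type=%d) from %s: %d hosts in %.0fs"
                          % (SWEEP_TYPES[icmp_type], icmp_type, src, len(targets), window))
    return alerts


def make_icmp_packet(src, dst, icmp_type, code=0):
    """Constructed sample packet: 20-byte IPv4 header + 8-byte ICMP header, checksums left zero."""
    def octets(ip):
        return bytes(int(o) for o in ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, octets(src), octets(dst))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)
    return ip_hdr + icmp_hdr


def demo_events():
    """Constructed traffic: a fast Echo sweep of 8 hosts, a slow Timestamp series
    (one probe every 100 s) and one TCP packet that must be ignored."""
    events = [(float(i), make_icmp_packet("10.0.0.9", "192.168.1.%d" % i, 8)) for i in range(1, 9)]
    events += [(100.0 * i, make_icmp_packet("10.0.0.7", "192.168.1.%d" % i, 13)) for i in range(1, 6)]
    tcp = bytearray(make_icmp_packet("10.0.0.5", "192.168.1.1", 8))
    tcp[9] = 6  # rewrite protocol field to TCP
    events.append((3.5, bytes(tcp)))
    return events


if __name__ == "__main__":
    for alert in detect_sweeps(demo_events()):
        print(alert)
```

On a real sensor the packets come from a capture library instead of `make_icmp_packet`; the detection logic is unchanged. Lower the threshold for address-mask and timestamp requests, which legitimate hosts almost never send, and keep it higher for echo, where a monitoring station can look like a sweep.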


Port Scans

• Port Scans (Probing)
  – Determine services being offered (e.g. telnet, ftp, http, etc.)
• Post Port Scan
  – Determine operating system information
  – Determine other information (e.g. usernames, hostnames, etc.)


TCP Port Scans

Many operating systems do not implement TCP/IP exactly as the RFCs specify.

They respond differently to TCP packets with unusual flag combinations (FIN-only, no flags, all flags set, and so on), which a scanner uses both to find open ports without completing a handshake and to fingerprint the operating system.

[Figure: IP header (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto=TCP, Checksum, Source IP, Destination IP) followed by TCP header (Source Port, Dest Port, Sequence Number, Acknowledgement Number, Len, Res, Flags, Window, Checksum, Urgent Pointer)]


Network Address Translation

[Figure: Inside Network host 10.1.1.2 behind a NAT router whose outside address is 132.22.2.1, connected to the INTERNET (Outside Network)]

• Hides internal addresses
• Provides dynamic or static translation of private addresses to registered IP addresses
• Supports true NAT, Overload (same as PAT), and

Inside Local IP Address    Inside Global IP Address
10.1.1.2                   132.22.2.100
10.1.1.3                   132.22.2.101


Network Address Translation

Each translation consumes approximately 160 bytes of memory

PAT (overload) translations limited to 4000 entries

Supports any TCP/UDP application that does not carry source and/or destination IP addresses in the payload

Application support for those that DO carry source and/or destination IP addresses in the payload:
• ICMP, FTP (including PORT and PASV commands), NetBIOS over TCP/IP (datagram, name, and session services), RealAudio, CuSeeMe, StreamWorks, DNS ‘A’ and ‘PTR’ records, NetMeeting, VDOLive, Vxtreme, IP Multicast (source address translation only)


Initial Access


Access

Unauthorized data manipulation, system access, or privilege escalation


Access Methods

• Exploit easily guessed passwords
  – Brute force
  – Cracking tools
• Exploit mis-administered services
  – IP services (anonymous ftp, tftp, remote registry access, NIS, and so on)
  – Trust relationships (spoofing, r-services, and so on)
  – File sharing (NFS, Windows File Sharing)


Access Methods (cont.)

• Exploit application holes
  – Mishandled input data
    • Access outside application domain, buffer overflows, race conditions
  – Protocol weaknesses
    • Fragmentation, TCP session hijack
• Trojan horses
  – Programs that plant a backdoor into a host


Backdoors

• BackOrifice
  – Server (victim) component runs on Win 95/98 only
  – Windows and UNIX clients
  – Configurable ports (default UDP 31337)
  – Encrypted communications (a weak XOR scheme, enough to defeat naive string matching)
• BackOrifice plug-ins (“ButtPlugs”)
  – Allow new features to be added easily


Backdoors (cont.)

• NetBus (freeware)
  – Remote administration tool
  – Listens on TCP ports 12345, 12346
  – Trojan program
  – Runs on Win95/98 and NT


Denial of Service Methods

• Resource Overload
  – Disk space, bandwidth, buffers, ...
  – Ping floods: smurf (ICMP echo to a directed-broadcast address with the victim as spoofed source, amplified by every host on that subnet), ...
  – SYN floods: neptune, synk4, ...
  – Packet storms: UDP bombs, fraggle (the UDP echo/chargen version of smurf), ...
• Malformed / Out-of-Band Data Crash
  – Oversized packets: ping of death, ...
  – Out-of-band (URG) data to TCP port 139: winnuke, ...
  – Overlapping IP fragments the stack cannot reassemble: teardrop, ...


Other Areas to Consider

Disable:
• IP helper addresses: no ip helper-address (per interface)
• IP broadcasting: no ip broadcast-address, no ip directed-broadcast (per interface; directed broadcasts are the smurf amplifier)
• source routing: no ip source-route
• r-commands: no ip rcmd rcp-enable, no ip rcmd rsh-enable
• IDENT: no ip identd
• CDP: no cdp run (global) or no cdp enable (per interface)
• dynamic circuits: no frame-relay inverse-arp (per interface)
• other “features”: no ip proxy-arp, no ip redirects (per interface)
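Added example, not from the deck: a Python audit that reads a saved IOS configuration and reports which of the hardening commands on this slide and on the “IP Servers on Routers” slide are missing. The caveat a practitioner needs is built in: IOS writes only non-default settings to the configuration, so the absence of a `no ...` line means the feature is at its version-dependent default, which on 1999-era releases often meant enabled; the report therefore says “not explicitly disabled” rather than “enabled”. Interfaces that are shut down are skipped, `ip helper-address` lines are flagged for review, and `no frame-relay inverse-arp` is checked only where Frame Relay encapsulation is configured. The sample configuration (hostname, addresses) is constructed.

```python
# Global commands the deck recommends, as they appear in a running-config when set
GLOBAL_CHECKS = {
    "no service tcp-small-servers": "TCP small servers (echo, discard, chargen, daytime)",
    "no service udp-small-servers": "UDP small servers (echo, discard, chargen)",
    "no ip source-route": "IP source routing",
    "no ip identd": "IDENT server",
    "no cdp run": "CDP",
    "no ip rcmd rcp-enable": "rcp",
    "no ip rcmd rsh-enable": "rsh",
}
# Per-interface commands; IOS prints the `no` form only when the feature has been turned off
INTERFACE_CHECKS = {
    "no ip directed-broadcast": "directed broadcasts (smurf amplification)",
    "no ip proxy-arp": "proxy ARP",
    "no ip redirects": "ICMP redirects",
}


def parse_config(text):
    """Split an IOS config into global command lines and per-interface command sets.
    Indented lines belong to the most recent `interface` block; `!` ends a block."""
    globals_, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].add(line.strip())
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, set())
        else:
            current = None          # other indented sections (line vty, router ...) are ignored
            globals_.add(line)
    return globals_, interfaces


def audit(text):
    """Return a list of findings; an empty list means every recommended line is present."""
    globals_, interfaces = parse_config(text)
    findings = []
    for cmd, what in GLOBAL_CHECKS.items():
        if cmd not in globals_:
            findings.append("global: '%s' not present (%s not explicitly disabled)" % (cmd, what))
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                # an administratively down interface cannot be abused
        for cmd, what in INTERFACE_CHECKS.items():
            if cmd not in lines:
                findings.append("%s: '%s' not present (%s not explicitly disabled)" % (name, cmd, what))
        for line in lines:
            if line.startswith("ip helper-address"):
                findings.append("%s: '%s' configured (review whether UDP broadcast forwarding is needed)" % (name, line))
        if "encapsulation frame-relay" in lines and "no frame-relay inverse-arp" not in lines:
            findings.append("%s: Frame Relay interface without 'no frame-relay inverse-arp'" % name)
    return findings


# Constructed sample: partially hardened router, one clean LAN interface, one not, one shut serial
SAMPLE_CONFIG = """\
version 11.2
hostname border-rtr
no service udp-small-servers
ip source-route
no cdp run
!
interface Ethernet0
 ip address 132.22.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.200
!
interface Serial0
 encapsulation frame-relay
 shutdown
!
line vty 0 4
 login
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file; because it only inspects the configuration text, it can be run from a workstation without any access to the router itself.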


More Info

• http://www.2600.com/
• http://www.cultdeadcow.com/
• http://www.l0pht.com/
• http://www.hackernews.com/
• http://www.cert.org/
• http://www.sans.org/
• http://www.rootshell.com/
• http://www.securityfocus.com/
• http://www.cisco.com/security


In Summary ….

May You Live in Interesting Times!!
